Clouds and ContractsPage address: http://www.mnsu.edu/its/security/ciso/clouds_contracts.html
Dropbox and Google Drive are some of the easiest and most user friendly cloud storage, sharing and collaboration tools out there. They are certainly very popular. As an added bonus, they are free. Right? Well … you’ve heard the saying “there’s no such thing as a free lunch.” I’m afraid that is true in this case as well. While you may not be paying dollars for the service, you may be gambling your intellectual property and potentially your job by using those services.
OK, so why don’t we just get a contract with Dropbox, Google, Amazon, etc? It’s not quite as simple as having the Vice President of Finance and Administration “accept” the terms. Many times, these terms/contracts bind the University to terms that are in violation of State Law. ITS has tried to get contracts with Google and met with little success in negotiating terms that are acceptable to the State of Minnesota and Minnesota State. Let’s take a look at some of the terms that are objectionable to Minnesota State and the state.
Business uses of our Services
If you are using our services on behalf of a business, that business accepts these terms. It will hold harmless and indemnify Google and its affiliates, officers, agents and employees from any claim, suit or action arising from or related to the use of the Services or violation of these terms, including any liability or expense arising from claims, losses, damages, suits, judgements, litigation costs and attorneys’ fees.
To the fullest extent permitted by law, except for any liability for Dropbox’s or its affiliates’ fraud, fraudulent misrepresentation, or gross negligence, in no event will Dropbox, its affiliates, suppliers or distributors be liable for:
(a) any indirect, special, incidental, punitive, exemplary or consequential damages, or
(b) any loss of use, data, business, or profits, regardless of legal theory.
Minnesota State Board Procedure 5.14.5 (Purchasing), Part 9:
“All vendor prepared software license agreements and maintenance agreements must be reviewed by the system legal counsel.”
Minnesota State Board Procedure 5.14.5, Part 5. Encumbrance:
“The state cannot agree to indemnify third parties or hold them harmless (Minnesota Statutes §16A.138; Minn. Const. Art. XI, Sec. 1).”
By using Google’s and/or Dropbox’s software and accepting their Terms of Service, you are agreeing to indemnify Google and Dropbox in violation of Minnesota State Board Policy, Minnesota Law, and Minnesota Constitution. This may result in personal liability to you for any infraction by Google and is just cause for termination of employment (Minnesota State Board Procedure 5.14.2, Part 4 Encumbrance).
Here are some other terms that are in violation of Minnesota State Board Policy and/or State Law:
- Indemnification or hold harmless clauses
- Arbitration or mediation clauses
- Choice of law or venue in other states or foreign countries
- Attorneys’ fees and other uncapped financial obligations clauses
- Privacy Policies that aren’t private or transmit our data to third parties (in violation of FERPA direct control regulations)
- Clauses that allow the vendor to unilaterally change the terms, at any time, without notice to us.
- Embedded URLs
- “As may be modified from time to time at vendor’s sole discretion.”
- (aka “This document is meaningless”
So, what does all this mean? What can I use?
Currently, Minnesota State has signed contracts with Microsoft for its Office 365 services. Microsoft and Minnesota State were able to agree to terms that satisfied each other’s legal counsels. One part of this agreement is Microsoft’s agreement to be a “School Official” subject to FERPA and agreeing to “abide by the limitations and requirements imposed by FERPA on school officials, including agreeing that it will not scan institutional emails or documents for advertising purposes.” By agreeing to be a “School Official,” Microsoft has subjected itself to the same privacy and security requirements that Minnesota State and Minnesota State Mankato are subjected to under FERPA.
When it comes to general cloud storage and collaboration options for Faculty and Staff, Microsoft’s Office 365 is the only service that has been approved by Minnesota State and as such is the only cloud storage and collaboration service supported by Minnesota State University, Mankato ITS. Other cloud agreements for more specific purposes have been agreed to as well. Each of these services has had to go through the same legal review as Microsoft’s Office 365 had to go through.
If you’d like to know more about what cloud services have been approved and which ones may be potentials, please contact the ITS Service Desk at x6654 or firstname.lastname@example.org. ITS will coordinate with the appropriate offices at the University and Minnesota State to look at new contracts and services as they fit within the mission of the University.